kaniko VS podman

It spins up a GitHub Actions runner pool inside your cluster. When you push code, the runner builds your containers using Kaniko and deploys everything to the cluster. Your app gets real Postgres, Redis, Kafka, or whatever you need — already configured and wired up.

Kaniko Build Images in Kubernetes Without Docker For secure image builds inside CI/CD pipelines.

AFAIU this is because it manually detects changes in a given image layer by walking the directory tree. See also https://github.com/GoogleContainerTools/kaniko/issues/875

kaniko <https://github.com/GoogleContainerTools/kaniko>, ko <https://github.com/ko-build/ko>, bazel <https://github.com/bazel-contrib/rules_oci>, apko <https://github.com/chainguard-dev/apko>, or other tools.

Each of those has tradeoffs compared to Dockerfiles (I have no need for bazel, but if I did, then adding `rules_oci` might be a win-win, rather than using a Dockerfile). If I used Nix, then the Nix dockerTools would be a huge win (I don't use Nix). If I were shipping Go programs, `ko` would likely be a good baseline.

Kaniko is a tool from Google that builds container images from a Dockerfile inside a container or Kubernetes cluster without requiring privileged mode:

Docker runs a long-lived background daemon (dockerd), traditionally as root. Every CLI call talks to it over a socket. Podman doesn't. Each podman invocation is just a regular process you run as your own user.

Our setup is completely local. We will use exclusively Podman. All the executions are done on Windows 11 using Command Prompt terminals under VScodium. You might need to apply some minor changes for your environment (if any).

A development container (devcontainer) describes the developer environment as an OCI image (often built with a Dockerfile). The usual runtime is Docker, but tools such as Podman are compatible with the same workflow. For simplicity, this chapter assumes Docker is installed on your machine.

Podman installed, RamaLama uses it as the default container engine

Podman was another tool that I discovered during this project. This was the first time that instead of using Docker — which is the de facto standard container management tool (at least this is my impression so far) — I had to work with another container management tool. The front-end of both tools are pretty much the same meaning that you can use the same commands (e.g. container, image, run, build, inspect) with minor differences, so getting used to it was not a big deal. The main difference is at the back-end: Docker runs a service called daemon on your host while Podman is daemon-less. In a nutshell, the Docker daemon is responsible for listening for Docker API requests and managing the Docker resources. It runs continuously in the background (even if no containers are running) and requires root level privilege. Due to this, it’s considered to be less secure because if your daemon gets compromised, all your containers gets compromised. Contrary to Docker, Podman is daemon-less: It runs containers as child-processes and it can run them with non-root privilege as well.

There are a bunch of options to run containers locally on macOS. In addition to the dominant Docker Desktop, there are other excellent tools like OrbStack, Podman/Podman Desktop and even a solution from Apple starting with macOS 26 (Tahoe).

The most common one I run into is with volumes, when the full path doesn't already exist. Docker will just make the path, Podman throws an error. It's been called a "bug" in docker but the fact is everyone just expects the paths to be created. I want it to just work, not make everyone in the industry redo their dockerfiles to be "correct."

https://github.com/containers/podman/issues/6234

It looks like there was some work done to resolve this in 2024 but I know this was still happening for me in early 2025. Podman is technically correct here but functionally broken in a way that keeps pushing me away because I don't have time to deal with that :(